Context-sensitive confidentiality within federated environments

ABSTRACT

Techniques are disclosed for achieving context-sensitive confidentiality within a federated environment for which content is aggregated in a distributed Web portal (or similar aggregation framework), ensuring that message portions that should be confidential are confidential to all entities in the federated environment except those entities to which the message portions may properly be divulged. The federation may comprise an arbitrary number of autonomous security domains, and these security domains may have independent trust models and authentication services. Using the disclosed techniques, messages can be routed securely within a cross-domain federation (irrespective of routing paths), thereby ensuring that confidential information is not exposed to unintended third parties and that critical information is not tampered with while in transit between security domains. Preferred embodiments leverage Web services techniques and a number of industry standards.

RELATED INVENTION

The present invention is related to commonly-assigned U.S. Pat. No.7,346,923 (Ser. No. 10/719,490, filed Nov. 21, 2003), which is titled“Federated Identity Management within a Distributed Portal Server”. Thiscommonly-assigned invention is referred to herein as “the relatedinvention” and is hereby incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to computer software, and deals moreparticularly with techniques for achieving context-sensitiveconfidentiality within a federated environment for which content isaggregated in a distributed Web portal (or similar aggregationframework).

2. Description of the Related Art

Web portals (sometimes referred to equivalently as portal platforms,portal systems, or portal servers) are designed to serve as a gateway,or focal point, for access to an aggregation or collection ofinformation and applications from many different sources. Portals oftenprovide an end user view, commonly referred to as a “portal page”. Aportal page is often structured as a single overview-style page (whichmay provide links for the user to navigate to more detailedinformation). Alternatively, portal pages may be designed using anotebook paradigm whereby multiple pages are available to the user uponselecting a tab for that page. (Other frameworks which aggregate contentand/or services may have characteristics analogous to those of a portal.The term “portal”, as used herein, is intended to include such otheraggregation frameworks.)

In addition to providing for content delivery to end users, Web portalsare increasingly used as gateways to so-called “Web services” (i.e.,network-accessible services) for distributed computing. Web services area rapidly emerging technology for distributed application integration ina distributing computing environment such as the Internet. In general, a“Web service” is an interface that describes a collection ofnetwork-accessible operations. Web services fulfill a specific task or aset of tasks, and may work with one or more other Web services in aninteroperable manner to carry out their part of a complex workflow or abusiness transaction. For example, completing a complex purchase ordertransaction may require automated interaction between an order placementservice (i.e., order placement software) at the ordering business and anorder fulfillment service at one or more of its business partners.

With Web services, distributed network access to software becomes widelyavailable for program-to-program operation, without requiringintervention from humans. Web services are generally structured using amodel in which an enterprise providing network-accessible servicespublishes the services to a network-accessible registry, and otherenterprises needing services (or human beings searching fornetwork-accessible services) are able to query the registry to learn ofthe services' availability. (Hereinafter, references to an entity oruser making use of Web services are intended to include programmaticentities as well as human beings.) The participants in this computingmodel are commonly referred to as (1) service providers, (2) servicerequesters, and (3) service brokers. These participants, and thefundamental operations involved with exchanging messages between them,are illustrated in FIG. 1. The service providers 100 are the entitieshaving services available, and the registry to which these services arepublished 110 is maintained by a service broker 120. The servicerequesters 150 are the entities needing services and querying 140 theservice broker's registry. When a desired service is found using theregistry, the service requester binds 130 to the located serviceprovider in order to use the service. These operations are designed tooccur programmatically, without requiring human intervention, such thata service requester can search for a particular service and make use ofthat service dynamically, at run-time. The Web services model istheoretically available for any type of computing application.

Web services allow applications and services (referred to hereinafter asservices for ease of reference) to interact with one another usingWeb-based standards. A number of standards are being promulgated in theWeb services arena as the problems inherent in that environment becomebetter understood. A complete discussion of these protocols is beyondthe scope of the present discussion, but basic protocols on which Webservices work is being built include HTTP (“Hypertext TransferProtocol”), SOAP (“Simple Object Access Protocol”), and WSDL (“WebServices Description Language”). HTTP is commonly used to exchangemessages over TCP/IP (“Transmission Control Protocol/Internet Protocol”)networks such as the Internet. SOAP is an XML (“Extensible MarkupLanguage”) based protocol used to send messages for invoking methods ina distributed environment. WSDL is an XML format for describingdistributed network services.

For more information on SOAP, refer to “Simple Object Access Protocol(SOAP) 1.1, W3C Note 08 May 2000”, which is available from the WorldWide Web Consortium, or “W3C”. The WSDL specification is titled “WebServices Description Language (WSDL) 1.1, W3C Note 15 Mar. 2001”, and isalso available from the W3C. HTTP is described in Request For Comments(“RFC”) 2616 from the Internet Engineering Task Force, titled “HypertextTransfer Protocol—HTTP/1.1” (June 1999). It should be noted thatreferences herein to “HTTP” are intended in a generic sense to refer toHTTP-like functions. Some Web services operations, for example, requireHTTPS instead of HTTP, where HTTPS is a security-enhanced version ofHTTP.

The goal of Web services is to provide service requesters withtransparent access to program components which may reside in one or moreremote locations, even though those components might run on differentoperating systems and/or be written in different programming languagesthan those of the requester.

A federation within a Web services context relates to collaborationamong loosely-coupled and complementary Web services across securitydomains. For example, suppose employees from two companies would like tomeet with one another, and that the two companies have differentautomated calendar/meeting services, each of which providescomplementary functionality (e.g., by managing employee's schedules).Federating these complementary services would allow the independentcalendar services to exchange application information, enabling theemployees to establish the joint meeting using their respective calendarservices.

While support for Web services and portals in federated environmentscontinues to make great progress, areas remain where improvements can bemade.

SUMMARY OF THE INVENTION

An object of the present invention is to provide context-sensitiveconfidentiality within a federated environment.

Another object of the present invention is to provide context-sensitiveconfidentiality in an environment that leverages a distributed Webportal for aggregating a plurality of views or services.

A further object of the present invention is to define techniques forsecurely transmitting messages within a federation that spans multipletrust models, where one or more intermediaries along a particularmessage path may need access to security-sensitive portions of atransmitted message.

Yet another object of the present invention is to provide techniqueswhereby security-sensitive information transmitted with a message can beselectively disclosed to entities that are authorized to access thatinformation.

Still another object of the present invention is to define techniqueswhereby a message can carry security-sensitive information for multipleintended receivers, such that each intended receiver can access only thesecurity-sensitive information specifically intended for that receiver.

Other objects and advantages of the present invention will be set forthin part in the description and in the drawings which follow and, inpart, will be obvious from the description or may be learned by practiceof the invention.

To achieve the foregoing objects, and in accordance with the purpose ofthe invention as broadly described herein, the present invention may beprovided as methods, systems, and/or computer program products. In oneaspect, techniques are providing for achieving context-sensitiveconfidentiality among security domains within a federated environment,further comprising: determining a route to be taken by a message to betransmitted in the federated environment, where the route spans aplurality of the security domains; determining rights of nodes to beencountered on the determined route to access security-sensitiveportions of the message; selectively protecting the security-sensitiveportions of the message, according to the determined access rights; andtransmitting the message with its selectively-protected portions on thedetermined route.

The selective protection preferably further comprises encrypting atleast one security-sensitive portion of the message and/or computing adigital signature over at least one security-sensitive portion of themessage.

Policy may be consulted when determining the route to be taken for themessage. Policy may also, or alternatively, be consulted whendetermining the access rights for the nodes to be encountered.

A role of at least one of the nodes to be encountered may be determined,and determining the access rights may then further comprise consultingpolicy for each determined role, wherein the policy specifies accessrights for that role.

The selective protection is preferably provided by encrypting eachsecurity-sensitive portion of the message for each node and/or roledetermined to have access rights to that portion. Public keys associatedwith each of the nodes/roles are preferably used for the encrypting.

Optionally, the determined route may be specified in the transmittedmessage.

Using these techniques, upon receiving the transmitted message at aselected one of the nodes on the determined route, the node can securelyaccess only those ones of the selectively-protected portions of thereceived message to which the selected node has access rights.

The transmitted message may further contain information identifying anauthentication authority from a first of the security domains andindicate that this authentication authority has already authenticated aparty for which the message requests access to services, such that nodesreceiving the message in other ones of the security domains can bypassauthentication of the party for access to services of that othersecurity domain, upon verifying authenticity of the authenticationauthority and establishing that the authentication authority vouches forthe received message. Preferably, the authentication authority isdetermined to vouch for the received message if a digital signaturecomputed by the authentication authority and transmitted with themessage is determined, by the node receiving the message in the one ofthe other security domains, to be valid. The transmitted message maycontain security credentials of the party, where those securitycredentials have been authenticated by the identified authenticationauthority and are protected such that only authorized ones of the nodesreceiving the message in other ones of the security domains can accessthe protected security credentials. Preferably, the protected securitycredentials are encrypted using a public key of each of the authorizedones of the nodes receiving the message, such that each of theauthorized ones can decrypt the protected security credentials using acorresponding private key.

The present invention may also or alternatively be deployed as one ormore services for ensuring context-sensitive confidentiality of messagestransmitted within a federated environment. As one example, a messageconfidentiality service may be provided for securely transmittingmessages among security domains within a federated environment, and thisservice may comprise: determining a route to be taken by a message to betransmitted in the federated environment, where the route spans aplurality of the security domains; determining rights of nodes to beencountered on the determined route to access security-sensitiveportions of the message; and determining how the security-sensitiveportions of the message should be protected, according to the determinedaccess rights. A fee may be charged for performing the service.Optionally, the service may further comprise applying the determinedprotections to the security-sensitive portions.

The present invention will now be described with reference to thefollowing drawings, in which like reference numbers denote the sameelement throughout.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 provides a diagram illustrating participants and operations of aservice-oriented architecture in which Web services are deployed,according to the prior art;

FIG. 2 illustrates components of that may be involved when aconfidential message is transmitted among participants in a federatedenvironment;

FIG. 3 shows a generalized routing path between a message sender and anultimate message receiver, as well as several intermediaries along thepath that may need access to at least some security-sensitive portion ofthe message, and is used to describe operation of preferred embodiments;

FIG. 4 provides a flowchart depicting logic that may be used toimplement an embodiment of the present invention;

FIG. 5 illustrates a sample message header that may be included in atransmitted message to convey message routing information; and

FIG. 6 shows sample message contents of the type that may be transmittedby an embodiment of the present invention, illustrating encryption ofsecurity-sensitive information for intended receivers to be encounteredalong the message path to the ultimate message receiver.

DESCRIPTION OF PREFERRED EMBODIMENTS

The present invention discloses techniques for achievingcontext-sensitive confidentiality within a federated environment. Asused herein, the term “context-sensitive confidentiality” comprisesensuring that message portions that should be confidential areconfidential to all entities in the federated environment except thoseentities to which the message portions may properly be divulged. Thefederation may comprise an arbitrary number of autonomous securitydomains, and these security domains may have independent trust modelsand authentication services. Using the disclosed techniques, messagescan be routed securely within a cross-domain environment, therebyensuring that confidential information is not exposed to unintendedthird parties and that critical information is not tampered with whilein transit between security domains. Preferred embodiments leverage Webservices techniques and a number of industry standards.

The related invention disclosed techniques for managing identitiesacross autonomous security domains which may be comprised of independenttrust models, authentication services, and user enrollment services(and, optionally, authorization services). Using techniques disclosedtherein, a set of credentials is obtained for a user (whether a humanuser or a programmatic entity) accessing an aggregation point-of-contact(such as a portal interface provided by a distributed portal platform).Those credentials are then authenticated for use in the local securitydomain. By consulting policy information, other security domains forwhich the user must be authenticated are determined. (Policy informationmay be created, for example, by a systems administrator for the localsecurity domain.)

As an example, suppose the user will access an aggregated viewcomprising views of three services, each of which requiresauthentication. A first service might provide a view of this user'semployee benefits, while a second provides a view of the user's bankaccount information and a third provides a view of the user's stockportfolio. Further suppose that each service is deployed in a distinctsecurity domain, and that the employee benefits service is provided bythe local security domain (as may be the case when the user accesses theaggregated view while at work). In this example, policy informationpreferably identifies trust components that are responsible forcoordinating authentication in each of the security domains. These trustcomponents are referred to in the related invention as “trust proxies”.(In preferred embodiments of the related invention and the presentinvention, a trust proxy is preferably deployed as a Web service thatmanages trust relationships and routes authentication-related messagesbetween federation participants.)

Thus, according to the related invention, once the local trust proxydetermines that the user is authenticated for the local security domain,this local trust proxy passes information pertaining to the user'sauthenticated credentials to the trust proxy for each of the remotesecurity domains. Credential mapping operations are then carried out inthe remote security domains to determine the user's local credentialsfor each of the remote security domains. For example, the user mighthave a user identifier (“user ID”) of “Employee1234” in the localdomain; a user ID of “Account5678” in the banking domain; and a user IDof “Portfolio543” in the stock portfolio domain, where all of theseidentifiers belong to the same user. Different underlying securitytechniques may be used in the different security domains as well.Credential mapping eliminates the need for the user to provide each ofthese different user IDs (and their corresponding password) to theaggregation point, and allows each security domain to carry out its ownsecurity techniques to authenticate the user with the user credentialswhich have been established for that security domain.

Authentication results within each domain are passed to the appropriateservice deployed within that domain (e.g., informing the bank accountservice as to whether the bank account information for the user shouldbe invoked, in the example, where this bank account service operates toprovide a view that will be aggregated at the aggregationpoint-of-contact with the employee benefits information and stockportfolio information). These results are also sent to the aggregationpoint-of-contact. If the aggregation point-of-contact receivesinformation that the user is not authenticated (or not authorized) forusing services in any of the security domains, then the view of thecorresponding service will not be included in the aggregated view (andthe corresponding service, which also receives this information, shouldnot supply content to the aggregator). In preferred embodiments of therelated invention, the aggregation point-of-contact provides theaggregated views as a portal page and the remote services are Webservices-based portlets; the local service is preferably deployed as aportlet as well. The related invention therefore enables seamlesslyintegrating Web services-based portlets, which may rely on differentsecurity mechanisms and which may be deployed by various third parties,within a common portal page or other aggregation.

Several of the industry standards which are leveraged by preferredembodiments of the related and present inventions will now be described.

A specification titled “Web Services Security (WS-Security), Version1.0” and published Apr. 5, 2002 (also referred to herein as“WS-Security” or “the Web services security specification”), draftedjointly by International Business Machines Corporation (“IBM”),Microsoft Corporation, and Verisign, defines techniques that may be usedfor Web services-based message security. A specification titled “WebServices Federation Language (WS-Federation)” and published Jul. 8, 2003(also referred to herein as “WS-Federation” or “the Web servicesfederation specification”), drafted jointly by IBM, MicrosoftCorporation, and Verisign, describes a model for integratingincompatible security mechanisms or security mechanisms that aredeployed within different domains. For example, suppose two businesspartners each implement public key encryption-based identityinfrastructures, or that one of the partners happens to implement aKerberos system while the other trading partners do not. WS-Federationoffers a roadmap for how to apply Web service technologies to tie thosesystems together, leveraging lower-level Web services securityspecifications that provide support for message security, policy, trust,and privacy.

Preferred embodiments of the related and present inventions alsoleverage the specification titled “Web Services for Remote PortalsSpecification, Version 1.0” (referred to hereinafter as WSRP”), whichwas approved as an OASIS (“Organization for the Advancement ofStructured Information Standards”) standard in August, 2003 foroperating within a distributed portal environment.

According to preferred embodiments of the related and presentinventions, each trust proxy is configured with routing information andpolicy declarations to ensure that messages are only sent to trustedparties (as determined by relationships which are preferably establishedout-of-band between the various domains). Alternatively, routinginformation may be propagated within the context of a SOAP message via astateless protocol such as the Web Services Routing protocol, defined in“Web Services Routing Protocol (WS-Routing)”, published Oct. 23, 2001 byMicrosoft Corporation. This protocol specification is referred to hereinas “WS-Routing”.

These above-described specifications, which do not disclose theinventive techniques of the related or present inventions, are herebyincorporated herein by reference.

Federated identity management according to the related invention allowsservices residing in disparate security domains to interoperate andcollaborate securely, irrespective of the differences in the underlyingsecurity mechanisms and/or operating system platforms. In effect, thesecurity mechanisms are programmatically tied together, or bridged, in atransparent manner in order to enable this interoperation and securecollaboration among services. Federated identity management is one ofthe key requirements for higher-level federation scenarios.

As an example of how other scenarios build upon federated identitymanagement, consider trading partners where each partner manages anautonomous and insular supply chain. Federating the vendor supply chainswould provide a greater degree of optimization across inventory,production, distribution, and transportation systems among the tradingpartners. This level of federation implies collaboration amongenterprise resource planning (“ERP”) systems and supply chain managementdecision support services hosted by the trading partners. For example,Acme Widgets company may buy inventory from Supplier A, which in turnbuys inventory from Supplier B. There may be a number of scenarios whereSupplier B could operate more efficiently with access to selectedinformation of downstream companies such as Acme Widgets. However, eachcompany's information technology systems typically provide securitymechanisms that restrict access to core business processes to entitiesthat are authenticated and determined to be authorized for this access.Without a flexible and interoperable means of federated identitymanagement, the efficiencies associated with highly-optimized,collaborative supply chains are untenable. Using federated identitymanagement, as disclosed in the related invention, the necessaryauthorizations can be granted and subsequently verified at run time, andcommunicating entities can be authenticated (including authenticationacross security domains) to ensure that the appropriate trading partners(and only those trading partners) can access one another's supply chainsin a seamless manner. (Many other federation scenarios can be imaginedthat require federated identity management and that will thereforebenefit from techniques of the related and present inventions.)

The present invention may be used in combination with an embodiment ofthe related invention to securely transmit identity managementinformation used when federating services within an aggregation point.Alternatively, an embodiment of the present invention may be used inother environments where it is necessary to provide context-sensitiveconfidential message transmissions in a federated environment.Accordingly, references herein to the related invention are by way ofillustration but not of limitation.

FIG. 2 provides a sample federated environment and is used to show howmessages may need to be exchanged among components when aggregatingservices in a federated environment. In this sample environment 200, auser 205 interacts with a distributed portal 210 that acts as thefederation entry point (also referred to herein as an aggregationpoint-of-contact) for end users. In this example, the distributed portalaggregates, within a common portal interface, content from servicesprovided by remote portlets 230, 260 and local portlet 245, where theseservices span multiple independent security domains (shown in the figureas local security domain 275 and remote security domains 270, 280). Asdisclosed in the related invention, a generic portlet proxy 215 isresponsible for protocol conversion of messages which are published bydistributed portal 210 to local trust proxy 235. The generic portletproxy 215 may, for example, convert HTTP requests used by portal 210 toWSRP-compliant SOAP messages that can be consumed at local trust proxy235 (and vice versa). (The term “generic portlet proxy”, as used in therelated invention and as used herein, refers to a portlet that acts asan intermediary between an application or software resource requesting aparticular service and a software resource providing that service.)

Thus, when distributed portal 210 publishes a message requestingauthentication of user 205 in the local security domain 275, local trustproxy 235 communicates with local authentication service 240, whichperforms the authentication. Assuming the user is authenticated locally,results of the authentication are passed by local trust proxy 235 toremote trust proxies 220 and 250, which in turn communicate with theirown local authentication services (identified in FIG. 2 as remoteauthentication services 225 and 255, respectively) to determine whetherthe user is authenticated in the remote domains. (As disclosed in therelated invention, the user for which services are to be federated mayhave varying security identities within the different security domains270, 275, 280. Thus, credential mapping may be carried out in the remotedomains when authenticating the user for that domain.)

Each of the authentication services 225, 240, 255 is shown in FIG. 2 ascommunicating authentication results to a corresponding portlet 230,245, 260, where a service will be performed for this user (assuming theuser is authenticated and authorized for that service). In addition,each authentication service preferably communicates authenticationresults to its local trust proxy, which in turn informs the distributedportal 210 as to whether the user is authorized to view content from therespective portlet. (These latter communications have not beenillustrated in FIG. 2.) With reference to the example discussed abovewhere a user wishes to view a page aggregating views of three services,local portlet 245 represents the employee benefits service, and remoteportlets 230 and 260 represent the bank account service and stockportfolio service.

The related invention used the term “relying” service to refer to WSRPremote portlet Web services that consume authentication information froma local or remote domain in order to provide a service to analready-authenticated user (or programmatic entity). According to thepresent invention, caching may be used to optimize authenticationoperations, whereby previously-determined authentications within aparticular context can be cached for some period of time, andnewly-arriving requests pertaining to cached authentications can thenleverage the cached information rather than performing theauthentication again. In addition, preferred embodiments may cacherouting information. Caching is discussed in more detail with referenceto FIG. 4.

The sample configuration in FIG. 2 is provided for purposes ofillustration and not of limitation. It may happen, for example, thatmore than more or fewer separate security domains exist in theconfiguration of an actual distributed portal scenario. (And, in somecases, a distributed portal scenario may include one or more remoteportlets that do not require authentication, in combination with one ormore remote portlets that do require authentication.)

Note also that while discussions of the present invention are in termsof a distributed computing environment that leverages a portal platformfor aggregation, the inventive concepts are applicable to other types ofcontent frameworks or aggregators which provide analogous functionality,and thus references to portals and their portlet paradigm is by way ofillustration and not of limitation.

As stated earlier, the related invention noted that end-to-end securityin a cross-domain environment of the type illustrated in FIG. 2 ispreferably provided to ensure that confidential information is notexposed to unintended third parties and that critical information is nottampered with while in transit between the security domains. However,techniques for providing context-sensitive confidentiality in afederated environment were not disclosed therein. Those techniques arethe subject of the present invention.

The manner in which preferred embodiments of the present inventionenable context-sensitive, confidential exchange of information amongautonomous security domains will now be described in more detail.

FIG. 3 shows participants on a generalized routing path used to transmita SOAP message between a message sender 300 and an ultimate messagereceiver 340, as well as several intermediaries 310, 320, 330 that maybe encountered along the path to message receiver 340. Intermediaries310, 320, 330 are referred to in FIG. 3 using the notation “TP/SI”, anabbreviation for “trust proxy/SOAP intermediary”, indicating that thesecomponents may serve as trust proxies of the type discussed above and/oras SOAP nodes that route a message along the path from sender 300 toreceiver 340. For example, TP/SI 310 might represent the local trustproxy 235 of FIG. 2, while TP/SI 320 represents remote proxy 220 andTP/SI 330 represents remote authentication service 225; and in thisexample, message sender 300 corresponds to generic portlet proxy 215(operating on behalf of distributed portal 210) and message receiver 340corresponds to remote portlet 230. (Note that when nodes 300-340 areidentified in FIG. 3 as SOAP nodes, this implies that a servicedescription is available for each node. In alternative embodiments,nodes other than SOAP nodes may be supported.)

To ensure that messages sent among the security domains are protected,security-sensitive portions of the messages are preferably encryptedbefore transmission. A particular intermediary may need access to one ormore of these security-sensitive portions of a transmitted message forperforming functions locally. For example, when an authenticationrequest is transmitted from generic portlet proxy 215 to local trustproxy 235, the local trust proxy needs to determine what is beingrequested of the local environment and also which, if any, remote trustproxies it must contact to perform remote authentication. If informationneeded by local trust proxy 235 in the message sent from generic portletproxy 215 is encrypted, then local trust proxy 235 must be able todecrypt that information. Local trust proxy 235 can then evaluate thatdecrypted information and, upon determining that remote trust proxies220 and 250 must be contacted, sends messages to those trust proxieswherein encryption is used to protect security-sensitive information asit travels to the remote security domains. (Similarly, trust proxies inthe remote domains may need to forward information to other receivers.Preferably, each trust proxy authenticates a digital signature onreceived messages to ensure the messages are authentic prior to carryingout further operations, as in the prior art.)

FIG. 4 illustrates logic that may be used in preferred embodiments forproviding context-sensitive confidentiality for message portions thatare transmitted among federation participants, and FIGS. 5 and 6 showsample syntax that may be used for message transmission.

The processing of FIG. 4 serves to establish fine-grained protection fortransmitted messages. Beginning at Block 400, when a message sender hasa message to be transmitted, preferred embodiments dynamically resolvethe target service description of the ultimate message receiver (whichis preferably specified as a WSDL specification), thereby determiningthe messages accepted by the receiver (and other information such as theapplicable message bindings). In addition, policy information ispreferably consulted to determine which portions of the message requiresecurity protection in this context. (Preferably, policy informationused by preferred embodiments is specified according to the WS-Securityspecification). In this manner, a coarse-grained view of securityrequirements is initially established in terms of the ultimate messagereceiver.

The security requirements may comprise confidentiality, integrity,and/or authentication requirements (and authorization requirements mayalso be specified). The term “quality of protection”, or “QoP”, is usedherein to refer generally to the security requirements that may bespecified in policy information.

As an example of confidentiality requirements, the policy may specifywhether portions of the message must be encrypted in this context (wherethe context preferably comprises at least an identification of themessage sender and receiver as well as the message type), and if so,what portions must be encrypted; additional confidentiality requirementsmay also be specified in the policy information, such as requiredencryption strength or an encryption algorithm that must be used in thiscontext.

As an example of message integrity requirements, the policy may specifywhether a digital signature must be computed, and if so, what messageportions should be included in a digest to be signed and how that digestshould be computed.

Authentication requirements and/or authorization requirements may alsobe specified in the policy. In preferred embodiments, the trust proxiesare responsible for ensuring that only authorized and valid messageexchanges from authenticated entities are allowed within theirrespective security domain, thereby providing cross-federationauthentication and authorization. For example, policy is preferablyconsulted to determine whether the message sender is authorized to sendthis message to this receiver.

Preferred embodiments leverage the generic portlet proxy shown atreference number 215 to coordinate context-sensitive confidentialityoperations on behalf of the distributed portal. Accordingly, operationsshown in FIG. 4 are preferably initiated by the generic portlet proxywhen the distributed portal has a message to be transmitted. As analternative approach, local trust proxy 235 may be responsible forcoordinating the confidentiality operations upon receiving a messagefrom the generic portlet proxy.

In Block 410, a determination is made as to what route this messageshould take to its ultimate receiver. The manner in which the route isdetermined may vary, and does not form part of the inventive conceptsdisclosed herein. As one approach, the route may be determined byconsulting policy information—which may contain tuples specifying amessage sender, message type, ultimate receiver, and corresponding path,for example. Routing optimizations may be applied, if desired for aparticular environment. In preferred embodiments, the generic portletproxy requests a route resolution from the local trust proxy. The localtrust proxy may, in turn, consult another entity that is responsible forroute selection. Or, the local trust proxy may consult one or more ofthe TP/SI components to determine a route to the ultimate messagereceiver. As yet another approach, a WS-Routing declarative routingstatement may be consulted to determine the route to be taken.

According to preferred embodiments, the XML Linking (“XLink”) languageis used as a means of representing message traversal path definitions.Once a route to be taken by a message has been determined, the traversalpath definition is preferably recorded at a Uniform Resource Locator(“URL”). By including that URL in a transmitted message, each receiverof the message can therefore consult the route definition to determineany next hop(s) for the message. The XLinking language is defined in“XML Linking Language (XLink) Version 1.0, W3C Recommendation 27 Jun.2001”, which is available from the W3C. XLink syntax is well known inthe art, and a discussion thereof is not deemed necessary to anunderstanding of the present invention. (A sample message header usingXLink notation to reference a stored route is described below withreference to FIG. 5.)

Once a route has been determined, it may optionally be cached orotherwise persisted (e.g., using a URL as discussed above) forsubsequent use. For example, a particular message sender may need tosend a series of messages to a message receiver, and if apreviously-determined route is available, then the route determinationcan be bypassed. (Preferably, route caching considers the message typeas well as the message sender and receiver; additional and/or differentfactors may be deemed pertinent in a particular environment.)

Preferred embodiments may also cache, at one or more nodes along a path,information comprising (1) whether the user is already authenticated tothe local service; (2) whether the user's authorization for this servicehas already been determined (e.g., by comparing the user's credentialsto stored policy information); and (3) which are the “next hops” in thispath (i.e., the neighboring nodes to which the message should berouted). Subsequently, if a message is received for analready-authenticated user whose authorization is already determined,the authentication and authorization-checking for that user can bebypassed.

As shown in Block 420, after determining the message route, a quality ofprotection overlay is then performed. In preferred embodiments, thiscomprises harvesting policy information for all intermediaries that willbe encountered along the selected route to the ultimate messagereceiver. Preferably, a WSDL specification for each of theintermediaries is consulted, and policy information of the intermediaryis thereby identified. Or, roles of each intermediary may be used whenlocating appropriate policy information. For example, policy may specifythat an intermediary in the role of routing entity is allowed only toview information pertaining to the selected route for the message orperhaps a subset of the route (such as an identification of the nexthop), while intermediaries in the role of trust proxy are allowed toview additional information. As another example, policy may specify thata trusted entity that caches content should be allowed to decryptselected portions of encrypted content within a transmitted message; or,if authentications are to be cached, as discussed earlier, then anencrypted message portion preferably contains the authenticationinformation to be decrypted by the trusted entity that performs thisauthentication caching. This policy information as to which messageportions should be accessible may be referred to as “entitlements” ofmessage recipients.

The policy information obtained at Block 420, along with the policyinformation obtained at Block 400, is then analyzed to resolve anyconflicts that may exist. (Conflict resolution, in this case, preferablyincludes using the most-restrictive or most-secure choice when multiplechoices are present.) In this manner, the generic portlet proxy candetermine the type(s) of fine-grained protection that are required forsecure, context-sensitive message transmission (i.e., providing theproper encryption, digital signatures, and so forth, as specified by thepolicy overlay, for transmitting this particular message on thisparticular route).

When a route between the message sender and receiver is available fromcache, as discussed above, then the intermediary-specific policyinformation (and corresponding conflict resolutions, if any) may also becached, thereby yielding further efficiencies in message transmissionwithout jeopardizing message confidentiality.

Once the appropriate security requirements for the message have beendetermined, a message reflecting those requirements is generated (Block430). Preferred embodiments enable a particular security-sensitivemessage portion to be encrypted for subsequent decryption by multiplereceivers. For example, each trust proxy 220, 235, 250 may need to knowan identifier of a portal page for which authentication is beingrequested as well as the user ID and password provided by the user foraccessing that portal page.

As stated earlier, even though the user's credentials may be differentin remote security domains 270, 280, transmitting the credentialsprovided for accessing local security domain 275 to those other domainsenables seamlessly retrieving the user's credentials for the remotedomains via credential mapping. Therefore, it is necessary to protectthe already-authenticated credentials that are in transit to the remotesecurity domains. A security token, as described in the WS-Securityspecification, may be used to specify information for secure messageexchanges among trusted parties, and in particular, to specify thecredentials to be transmitted among trusted parties. In a simple format,a security token according to this WS-Security specification uses a“UsernameToken” element to encapsulate a user name and optionalpassword. Depending on security policy, it may be desirable to encryptthe contents of this UsernameToken element. (Refer to the relatedinformation for a more detailed discussion of security tokens andexamples of their use. Encryption of the contents of this element,however, was not discussed in the related invention.)

Alternatively, there may be one or more security-sensitive messageportions to which only a single intermediary should be allowed access,and preferred embodiments also support this approach. Suppose, forexample, that generic portlet proxy 215 is adapted to specify onemessage portion containing routing information that is deemed to besecurity-sensitive (and that routing intermediaries that do not serve astrust proxies will need to decrypt this message portion), anothermessage portion containing security-sensitive information that is onlyto be decrypted by the local trust proxy, and yet another messageportion that is to be decrypted by the local and remote proxies.Embodiments of the present invention preferably enable each of thesemessage portions to be encrypted for its intended receivers (even thoughsome redundancy may result).

If the policy indicates that a selected message portion is to beencrypted in a manner that enables each trust proxy to decrypt thatmessage portion, for example, then the message portion is preferablyencrypted once for each intended trust proxy, preferably using a publickey of each intended trust proxy to separately encrypt the messageportion. (Public keys of entities may be readily obtained using priorart techniques.) Or, if the policy indicates that a only particular oneof the trust proxies (or perhaps one of the portlets) should have accessto a message portion, then that message portion is encrypted only once(preferably using a public key of the intended receiver).

One or more message digests and digital signatures may also be computedat Block 430, as required to carry out the fine-grained protection ofthe message according to security requirements specified by the policyoverlay, and the digital signature(s) are then preferably added to themessage.

Note that the encrypted message portions and any digital signature(s)included with the message must conform to the applicable schema for themessage (i.e., a valid message syntax must result). Preferredembodiments use XML Schema Definition (“XSD”) annotations to referencethe applicable schema within the SOAP message to be transmitted. Referto FIG. 6, which is discussed below, for an example of syntax that maybe used to protect selected message portions.

In Block 440, the context-sensitive confidential message is transmittedfrom the sender according to the determined route. Upon receipt at eachintermediary, the intermediary locates the message portions to which itcan obtain access, and when public key cryptography was used to encryptthose portions, the receiving intermediary uses its private key fordecryption.

FIG. 5 shows a sample SOAP header 500 that may be used for specifying areference to a path stored as an XLink, where a header of this type maybe appended to outbound SOAP messages to convey the path to be taken bythe message. This header 500 contains a <traversalPathRef> tag 505(which, in the example of FIG. 5, is prepended with a name spaceidentifier of “p” for “path”), and this <traversalPathRef> tag providesa reference 510 to a hypothetical linkset which stores more detailedinformation about the path (including identifiers of the nodes orintermediaries on the path). In the example of FIG. 5, the value of the“href” attribute 510 indicates that the traversal path information isstored in a linkbase document accessible using the URL“http://ibm.SampleRoute/linkbase/lb.xml”. This URL provides acommonly-accessible means for nodes receiving a message to reference thedetermined route, and the node can use that information to determinewhere it should forward the message.

FIG. 6 provides an example of syntax that may be used to protectselected message portions, wherein a message includes security-sensitiveinformation that has been encrypted for intended receivers that will beencountered along the message path to the ultimate message receiver.Preferably, a tag syntax is used for the messages. A sample syntax for amessage header 600 is shown in FIG. 6, and is for purposes ofillustration only.

A message type is preferably specified in the transmitted message, andmessage recipients (including intermediaries) preferably inspect thismessage type to determine whether the message should contain protectedsecurity-sensitive portions to be decrypted by that recipient. Seereference number 605, which indicates that this sample message header isfor a “contentRequest” message. The message may, for example, requestcontent from the employee benefits service, bank account service, andstock portfolio service in the federation scenario discussed earlier.(In this example, the message preferably contains distinct protectedcontent for each receiving service, such that only the bank accountservice has access to the user's bank account number and so forth,although this level of detail has not been illustrated in the samplemessage header in FIG. 6.)

The message preferably contains an element that an arbitrary messagerecipient (including intermediaries) can consult to determine where tofind message portions that are to be decrypted by the message recipient.Obviously, this particular element should be specified in the clear. InFIG. 6, a “<securityHeader>” element 610 is provided for this purpose,and contains a set of “<msgReceiver>” elements 615, 620 . . . which eachspecify information about a particular intended receiver or a set ofreceivers described by a particular role. In the example, a particularmessage receiver is identified in element 615 by its IP address and portnumber (i.e., “1.2.3.4:999”), and a set of receivers is identified inelement 620 by their role “remote trust proxy” (for purposes ofillustration). A “<receiverID>” and “<receiverRole>” tag, respectively,are used for these different types of information. Each “<msgReceiver>”element also contains a “<receiverTagName>” element that identifies thename of the tag where this intended receiver's security-protectedinformation may be found. Thus, the receiver identified by IP addressand port number in element 615 can find its protected information in thetag named “<1234Tag>”, which is shown at reference number 625.Similarly, the receiver(s) identified by role in element 620 can findprotected information in the tag named “<RTPTag>” (where “RTP” is usedas an abbreviation for “remote trust proxy”), and this tag is shown atreference number 630. In tags 625 and 630, the contained information maybe encrypted; it may contain digital signature information; and soforth. (As will be obvious once the teachings disclosed herein areknown, information of the type illustrated in FIG. 6 may be presented ina number of different ways without deviating from the scope of thepresent invention.)

Techniques which have been disclosed may be used advantageously forsecuring messages in many environments, including dynamic work flowscenarios where a target service provider may be unknown to the messagesender and/or may change over the course of a long-running transaction.For example, Acme Widget may desire to allow its supplier'ssupplier—which, in the above-described example, was Supplier B—to accessAcme's confidential information, even though the identity of Supplier Bwas not configured into Acme's information technology systems.Irrespective of uncertainties of this type, preferred embodiments enableaccess to sensitive information to be protected, determining the neededprotections in a flexible and efficient manner within messages thatremain independent of the federation topology.

Optionally, a set of public keys may be established, corresponding tothe entities or intermediaries to be encountered on a selected route. Anidentifier may be assigned to the set, such that a message sender caneasily request the key set associated with the route when preparing toencrypt message portions of a message to be transmitted on that route.

As has been demonstrated, the present invention provides advantageoustechniques for context-sensitive confidentiality within a federatedenvironment, enabling various receivers of a transmitted message toaccess aspects of the message without necessarily being able to accessthe entire message. Preferred embodiments leverage open standards. Notethat while particular standards (such as WS-Routing, SOAP, and so forth)have been referenced when describing preferred embodiments, this is forpurposes of illustrating the inventive concepts of the presentinvention: alternative means for providing the analogous functionalitymay be used without deviating from the scope of the present invention.

The term “service” as used herein includes a composite service, as wellas the sub-services which have been aggregated to form that compositeservice. The term “portlet” is used herein in an illustrative sense andincludes component implementations which adhere to component modelsother than the portlet model which has been illustrated.

Several commonly-assigned and co-pending inventions will now bediscussed, and will be distinguished from the teachings of the presentinvention.

Commonly-assigned and co-pending U.S. Patent Application 20030135628(Ser. No. 10/047,811; which is titled “Provisioning Aggregated Servicesin a Distributed Computing Environment”, discloses techniques thatenable heterogeneous identity systems to be joined in the dynamic,run-time Web services integration environment. This application,referred to herein as “the provisioning invention”, is herebyincorporated herein by reference. A provisioning interface was disclosedin the provisioning invention to enable automatically and dynamicallyfederating the heterogeneous identity systems which may be in use amongthe services which are aggregated as a composite service. Techniquesdisclosed therein allow users (whether human or programmatic) to beseamlessly authenticated and authorized, or “identified”, for using thedynamically-integrated services. According to the provisioninginvention, this seamless identification may be provided using a singlesign-on, or “unified login”, for an aggregated service, wherein theprovisioning interface of the aggregated service can be used to solicitall required information from a user at the outset of executing theaggregated service. A “stacking” approach was described whereby userpasswords (or other credentials, equivalently, such as tickets ordigital certificates) to be provided to the sub-services of anaggregated service are encrypted for securely storing. The sub-servicesare invoked in a specified order during execution, according to adefinition that is preferably specified in the Web Services FlowLanguage (“WSFL”), and the stacked passwords are then unstacked andpresented to the appropriate authentication or authorizationsub-service.

The present invention, by contrast, does not use stacking ofcredentials, and does not rely on a provisioning interface of a Webservice. In addition, a user of the present invention is not required toprovide credentials beyond those needed for the application or serviceto which the user is initially authenticated: credentials required forsubsequently-accessed services are determined dynamically, usingcredential mapping, as discussed above.

Commonly-assigned and co-pending U.S. Patent Application 20030163513(Ser. No. 10/081,300; which is titled “Providing Role-Based Views fromBusiness Web Portals”, discloses techniques for federating user profileinformation. This application, referred to herein as the role-basedviews application, also discloses techniques for providing this userprofile information using a single sign-on approach, whereby identifyinginformation obtained when a user begins to use a portal can beprogrammatically obtained and used by sub-services of an aggregatedservice. A federated authentication of an end user is performed (asdisclosed in the provisioning invention); security attributes (such asthe user's role) which are relevant for authorization are acquired, forthis authenticated user; and profile data associated with these securityattributes is resolved. Refer to this commonly-assigned application,which is hereby incorporated herein by reference, for more information.

The role-based views application does not teach techniques forcontext-sensitive confidentiality as disclosed in the present invention.

The provisioning application and the role-based views application assumethat each Web service implements its own authentication andauthorization operations. As a result, the provisioning application andthe role-based views application do not address security domainscenarios where trust, authentication, and/or authorization authoritiesimplement a collective quality of protection spanning distributedservices. Enterprise computing environments are expected to deployapplications and services in interconnected and/or disparate domains toachieve desirable scaling, security, and/or other relevant operationalcharacteristics. This model, although not addressed in the provisioningapplication and the role-based views application, is supported byembodiments of the present invention.

As will be appreciated by one of skill in the art, embodiments of thepresent invention may be provided as methods, systems, or computerprogram products. Accordingly, the present invention may take the formof an entirely hardware embodiment, an entirely software embodiment, oran embodiment combining software and hardware aspects. Furthermore, thepresent invention may take the form of a computer program product whichis embodied on one or more computer-usable storage media (including, butnot limited to, disk storage, CD-ROM, optical storage, and so forth)having computer-usable program code embodied therein.

The present invention has been described with reference to flow diagramsand/or block diagrams of methods, apparatus (systems), and computerprogram products according to embodiments of the invention. It will beunderstood that each flow and/or block of the flow diagrams and/or blockdiagrams, and combinations of flows and/or blocks in the flow diagramsand/or block diagrams, can be implemented by computer programinstructions. These computer program instructions may be provided to aprocessor of a general purpose computer, special purpose computer,embedded processor, or other programmable data processing apparatus toproduce a machine, such that the instructions, which execute via theprocessor of the computer or other programmable data processingapparatus, create means for implementing the functions specified in theflow diagram flow or flows and/or block diagram block or blocks.

These computer program instructions may also be stored in acomputer-readable memory that can direct a computer or otherprogrammable data processing apparatus to function in a particularmanner, such that the instructions stored in the computer-readablememory produce an article of manufacture including instruction meanswhich implement the function specified in the flow diagram flow or flowsand/or block diagram block or blocks.

The computer program instructions may also be loaded onto a computer orother programmable data processing apparatus to cause a series ofoperational steps to be performed on the computer or other programmableapparatus to produce a computer implemented process such that theinstructions which execute on the computer or other programmableapparatus provide steps for implementing the functions specified in theflow diagram flow or flows and/or block diagram block or blocks.

While preferred embodiments of the present invention have beendescribed, additional variations and modifications in those embodimentsmay occur to those skilled in the art once they learn of the basicinventive concepts. Therefore, it is intended that the appended claimsshall be construed to include preferred embodiments and all suchvariations and modifications as fall within the spirit and scope of theinvention.

1. A system for achieving context-sensitive confidentiality amongsecurity domains within a federated environment that spans a pluralityof security domains, comprising: a computer comprising a processor; andinstructions executable, using the processor, to implement functions of:determining a route to be taken by a content request message to betransmitted from a content requester in the federated environment to acontent provider in the federated environment, wherein: the routecomprises a network transmission path which begins at the contentrequester and ends at the content provider and passes through aplurality of intermediary nodes, each of the intermediary nodes locatedbetween the content requester and the content provider on the networktransmission path; the route is determined by consulting stored policythat specifies, for the content requester sending the content requestmessage to the content provider, the network transmission path; and theroute spans a plurality of the security domains; storing the determinedroute at a network-accessible location; determining, prior totransmitting the content request message from the content requester, aplurality of portions of the content request message that aresecurity-sensitive, further comprising using a context to consult storedpolicy that identifies the security-sensitive portions which areapplicable to said context, wherein the context comprises anidentification of the content requester, an identification of thecontent provider, and a message type identifying the content requestmessage; determining, prior to transmitting the content request messagefrom the content requester, rights of each of the intermediary nodes toaccess each of the determined security-sensitive portions of the contentrequest message, further comprising consulting stored policy for each ofthe intermediary nodes, wherein the stored policy specifies whether saidintermediary node is entitled to access said security-sensitive portionof the content request message; specifying, in unencrypted form in thecontent request message, the message type; an identifier of thenetwork-accessible location where the determined route is stored; and aplurality of message receiver elements, wherein a separate one of themessage receiver elements is specified for each of the intermediarynodes that is entitled to access each of the security-sensitiveportions, the separate one specifying an identification of saidintermediary node as a permitted receiver of that saidsecurity-sensitive portion and a node-specific keyword corresponding tosaid intermediary node; selectively protecting the security-sensitiveportions of the content request message, according to the determinedaccess rights by encrypting, for each of the security-sensitive portionsof the content request message, that security-sensitive portionseparately for each distinct one of the intermediary nodes which isentitled to access said security-sensitive portion and storing saidseparately-encrypted security-sensitive portion in the content requestmessage in association with the node-specific keyword corresponding tothe distinct one of the intermediary nodes, thereby enabling each of theintermediary nodes to locate and access each of the security-sensitiveportions which the intermediary node is entitled to access andpreventing said intermediary node from accessing any of thesecurity-sensitive portions which it is not entitled to access; andtransmitting the content request message with said selectively-protectedportions from the content requester to the content provider on thedetermined route, wherein: the transmitted content request messagecontains information identifying an authentication authority from afirst of the security domains and an identification of a party for whichthe content request message requests access to services and indicatesthat the identified authentication authority has already authenticatedthe party using security credentials of the party in the first securitydomain; the intermediary nodes and the content provider, upon receivingthe content request message in other ones of the security domains,bypass authentication of the party for access to services of said othersecurity domain, upon verifying authenticity of the authenticationauthority, establishing that the authentication authority vouches forthe received content request message, and using the identification ofthe party to locate previously-stored security credentials for the partywhich are usable within the other security domain; and the securitycredentials for the party in at least one of the other security domainsare different from the security credentials of the party in the firstsecurity domain.
 2. The system according to claim 1, wherein theselectively protecting further comprises computing a digital signatureover at least one of the security-sensitive portions of the contentrequest message.
 3. The system according to claim 1, wherein thefunctions further comprise determining a role of at least one of theintermediary nodes, and wherein determining the access rights furthercomprises using the determined role when consulting the stored policy,wherein the stored policy specifies whether nodes in said role areentitled to access this security-sensitive portion of the contentrequest message.
 4. The system according to claim 1, wherein theencrypting uses a public key associated with each of the intermediarynodes for which the encrypting operates.
 5. The system according toclaim 1, wherein the functions further comprise: receiving thetransmitted content request message at a selected one of theintermediary nodes on the determined route; using the identifier of thenetwork-accessible location where the determined route is stored, by theselected one, to locate a next hop for forwarding the content requestmessage from the selected one on the determined route; locating, by theselected one, each of the separate ones of the message receiver elementsthat specifies the identification of the selected one and retrievingtherefrom the specified node-specific keyword; and securely accessingonly those ones of the selectively-protected portions of the receivedcontent request message to which the selected one has access rights byusing each of the retrieved node-specific keywords to locate and accessonly those ones of the security-sensitive portions which the selectedone is entitled to access.
 6. The system according to claim 1, whereinthe authentication authority is determined to vouch for the receivedcontent request message if a digital signature computed by theauthentication authority and transmitted with the content requestmessage is determined, by the intermediary node or the content provider,upon receiving the content request message in the one of the othersecurity domains, to be valid.
 7. The system according to claim 1,wherein the transmitted content request message contains securitycredentials of the party, where the security credentials have beenauthenticated by the identified authentication authority and areprotected such that only authorized ones of the intermediary nodes andthe content provider, upon receiving the content request message inother ones of the security domains, can access the protected securitycredentials.
 8. A computer program product for achievingcontext-sensitive confidentiality among security domains within afederated environment that spans a plurality of security domains, thecomputer program product embodied on one or more computer-readablestorage media and comprising computer-executable program instructionsfor: determining a route to be taken by a content request message to betransmitted from a content requester in the federated environment to acontent provider in the federated environment, wherein: the routecomprises a network transmission path which begins at the contentrequester and ends at the content provider and passes through aplurality of intermediary nodes, each of the intermediary nodes locatedbetween the content requester and the content provider on the networktransmission path; the route is determined by consulting stored policythat specifies, for the content requester sending the content requestmessage to the content provider, the network transmission path; and theroute spans a plurality of the security domains; storing the determinedroute at a network-accessible location; determining, prior totransmitting the content request message from the content requester, aplurality of portions of the content request message that aresecurity-sensitive, further comprising using a context to consult storedpolicy that identifies the security-sensitive portions which areapplicable to said context, wherein the context comprises anidentification of the content requester, an identification of thecontent provider, and a message type identifying the content requestmessage; determining, prior to transmitting the content request messagefrom the content requester, rights of each of the intermediary nodes toaccess each of the determined security-sensitive portions of the contentrequest message, further comprising consulting stored policy for each ofsaid intermediary nodes, wherein the stored policy specifies whetherthis intermediary node is entitled to access said security-sensitiveportion of the content request message; specifying, in unencrypted formin the content request message, the message type; an identifier of thenetwork-accessible location where the determined route is stored; and aplurality of message receiver elements, wherein a separate one of themessage receiver elements is specified for each of the intermediarynodes that is entitled to access each of the security-sensitiveportions, the separate one specifying an identification of saidintermediary node as a permitted receiver of said security-sensitiveportion and a node-specific keyword corresponding to said intermediarynode; selectively protecting the security-sensitive portions of thecontent request message, according to the determined access rights byencrypting, for each of the security-sensitive portions of the contentrequest message, that security-sensitive portion separately for eachdistinct one of the intermediary nodes which is entitled to access saidsecurity-sensitive portion and storing said separately-encryptedsecurity-sensitive portion in the content request message in associationwith the node-specific keyword corresponding to the distinct one of theintermediary nodes, thereby enabling each of the intermediary nodes tolocate and access each of the security-sensitive portions which theintermediary node is entitled to access and preventing said intermediarynode from accessing any of the security-sensitive portions which it isnot entitled to access; and transmitting the content request messagewith said selectively-protected portions from the content requester tothe content provider on the determined route, wherein: the transmittedcontent request message contains information identifying anauthentication authority from a first of the security domains and anidentification of a party for which the content request message requestsaccess to services and indicates that the identified authenticationauthority has already authenticated the party using security credentialsof the party in the first security domain; the intermediary nodes andthe content provider, upon receiving the content request message inother ones of the security domains, bypass authentication of the partyfor access to services of said other security domain, upon verifyingauthenticity of the authentication authority, establishing that theauthentication authority vouches for the received content requestmessage, and using the identification of the party to locatepreviously-stored security credentials for the party which are usablewithin the other security domain; and the security credentials for theparty in at least one of the other security domains are different fromthe security credentials of the party in the first security domain. 9.The computer program product according to claim 8, wherein theselectively protecting further comprises computing a digital signatureover at least one of the security-sensitive portions of the contentrequest message.
 10. The computer program product according to claim 8,further comprising determining a role of at least one of theintermediary nodes, and wherein determining the access rights furthercomprises using the determined role when consulting the stored policy,wherein the stored policy specifies whether nodes in said role areentitled to access this security-sensitive portion of the contentrequest message.
 11. The computer program product according to claim 8,wherein the encrypting uses a public key associated with each of theintermediary nodes for which the encrypting operates.
 12. The computerprogram product according to claim 8, further comprisingcomputer-executable program instructions for: receiving the transmittedcontent request message at a selected one of the intermediary nodes onthe determined route; using the identifier of the network-accessiblelocation where the determined route is stored, by the selected one, tolocate a next hop for forwarding the content request message from theselected one on the determined route; locating, by the selected one,each of the separate ones of the message receiver elements thatspecifies the identification of the selected one and retrievingtherefrom the specified node-specific keyword; and securely accessingonly those ones of the selectively-protected portions of the receivedcontent request message to which the selected one has access rights byusing each of the retrieved node-specific keywords to locate and accessonly those ones of the security-sensitive portions which the selectedone is entitled to access.
 13. The computer program product according toclaim 8, wherein the authentication authority is determined to vouch forthe received content request message if a digital signature computed bythe authentication authority and transmitted with the content requestmessage is determined, by the intermediary node or the content provider,upon receiving the content request message in the one of the othersecurity domains, to be valid.
 14. The computer program productaccording to claim 8, wherein the transmitted content request messagecontains security credentials of the party, where the securitycredentials have been authenticated by the identified authenticationauthority and are protected such that only authorized ones of theintermediary nodes and the content provider, upon receiving the contentrequest message in other ones of the security domains, can access theprotected security credentials.